US7360253B2 - System and method to lock TPM always ‘on’ using a monitor - Google Patents

Abstract

A computer may be secured from attack by including a trusted environment used to verify a known monitor. The monitor may be used to determine a state of the computer for compliance to a set of conditions. The conditions may relate to terms of use, such as credits available for pay-per-use, or that the computer is running certain software, such as virus protection, or that unauthorized peripherals are not attached, or that a required token is present. The monitor may send a signal directly or through the trusted environment to a watchdog circuit. The watchdog circuit disrupts the use of the computer when the signal is not received in a given timeout period.

Description

BACKGROUND

A trusted platform module (TPM) for use in computing devices such as personal computers is known. The purpose of a TPM is to provide computer identity and secure services related to transactions, licensing of application and media, protecting user data, and special functions.

Trusted platform modules are commercially available, for example, a TPM is available from STM Microelectronics, the ST19WP18 module. The TPM stores keys and subsequently uses those keys to authenticate application programs, Basic Input/Output System (BIOS) information, or identities. However, use of the TPM is voluntary and according to current and anticipated standards and implementations cannot be used to mandate a condition on the computing device. Some business models assume the computer is out of the direct control of the computer owner/supplier, for example, a pay-per-use business model. In such an instance, circumvention of TPM services may be possible, and if circumvention occurs, may have an undesirable negative impact on the business.

SUMMARY

A trusted platform module (TPM) may be used to authenticate a monitor program that enforces conditions on a computing device. Owner keys injected or written to the TPM may be used to require that a monitor approved by the owner is operational. In turn, the approved monitor has access to resources of the TPM by way of monitor's authenticated status. Such a secure resource of the TPM may be, for example, a general purpose input/output (GPIO) port. A simple watchdog timer may be configured to reset the computer on a timed interval unless the watchdog timer is restarted within the interval period by a signal received using the GPIO.

By configuring the computer in this manner, the TPM may be used to help ensure a known monitor is running, and the watchdog timer may be used to help ensure that neither the monitor nor the TPM are disabled or tampered.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a network interconnecting a plurality of computing resources;

FIG. 2 is a simplified and representative block diagram representative of a computer in accordance with an embodiment of the current disclosure;

FIG. 3 is a simplified and representative block diagram showing a hierarchical representation of functional layers within the computer ofFIG. 2;

FIG. 4 is a simplified and representative block diagram of a computer architecture of the computer ofFIG. 2;

FIG. 5 is a simplified and representative block diagram of an alternate computer architecture of the computer ofFIG. 2;

FIG. 6 is simplified and representative block diagram of the TPM; and

FIG. 7 is a flow chart depicting a method of locking-on a TPM using a monitor.

DETAILED DESCRIPTION

Although the following text sets forth a detailed description of numerous different embodiments, it should be understood that the legal scope of the description is defined by the words of the claims set forth at the end of this disclosure. The detailed description is to be construed as exemplary only and does not describe every possible embodiment since describing every possible embodiment would be impractical, if not impossible. Numerous alternative embodiments could be implemented, using either current technology or technology developed after the filing date of this patent, which would still fall within the scope of the claims.

It should also be understood that, unless a term is expressly defined in this patent using the sentence “As used herein, the term ‘_{—————’} is hereby defined to mean . . . ” or a similar sentence, there is no intent to limit the meaning of that term, either expressly or by implication, beyond its plain or ordinary meaning, and such term should not be interpreted to be limited in scope based on any statement made in any section of this patent (other than the language of the claims). To the extent that any term recited in the claims at the end of this patent is referred to in this patent in a manner consistent with a single meaning, that is done for sake of clarity only so as to not confuse the reader, and it is not intended that such claim term by limited, by implication or otherwise, to that single meaning. Finally, unless a claim element is defined by reciting the word “means” and a function without the recital of any structure, it is not intended that the scope of any claim element be interpreted based on the application of 35 U.S.C. § 112, sixth paragraph.

Much of the inventive functionality and many of the inventive principles are best implemented with or in software programs or instructions and integrated circuits (ICs) such as application specific ICs. It is expected that one of ordinary skill, notwithstanding possibly significant effort and many design choices motivated by, for example, available time, current technology, and economic considerations, when guided by the concepts and principles disclosed herein will be readily capable of generating such software instructions and programs and ICs with minimal experimentation. Therefore, in the interest of brevity and minimization of any risk of obscuring the principles and concepts in accordance to the present invention, further discussion of such software and ICs, if any, will be limited to the essentials with respect to the principles and concepts of the preferred embodiments.

FIG. 1 illustrates anetwork10 that may be used to implement a dynamic software provisioning system. Thenetwork10 may be the Internet, a virtual private network (VPN), or any other network that allows one or more computers, communication devices, databases, etc., to be communicatively connected to each other. Thenetwork10 may be connected to a personal computer12 and acomputer terminal14 via an Ethernetconnection16, arouter18, and alandline20. On the other hand, thenetwork10 may be wirelessly connected to alaptop computer22 and a personaldigital assistant24 via awireless communication station26 and awireless link28. Similarly, aserver30 may be connected to thenetwork10 using acommunication link32 and amainframe34 may be connected to thenetwork10 using anothercommunication link36.

FIG. 2 illustrates a computing device in the form of acomputer110. Components of thecomputer110 may include, but are not limited to aprocessing unit120, asystem memory130, and asystem bus121 that couples various system components including the system memory to theprocessing unit120. Thesystem bus121 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus also known as Mezzanine bus.

Computer110 typically includes a variety of computer readable media. Computer readable media can be any available media that can be accessed bycomputer110 and includes both volatile and nonvolatile media, removable and non-removable media. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed bycomputer110. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency, infrared and other wireless media. Combinations of the any of the above should also be included within the scope of computer readable media.

Thesystem memory130 includes computer storage media in the form of volatile and/or nonvolatile memory such as read only memory (ROM)131 and random access memory (RAM)132. A basic input/output system133 (BIOS), containing the basic routines that help to transfer information between elements withincomputer110, such as during start-up, is typically stored inROM131.RAM132 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on byprocessing unit120. By way of example, and not limitation,FIG. 2 illustrates operating system134,application programs135,other program modules136, andprogram data137.

Thecomputer110 may also include other removable/non-removable, volatile/nonvolatile computer storage media. By way of example only,FIG. 2 illustrates ahard disk drive141 that reads from or writes to non-removable, nonvolatile magnetic media, amagnetic disk drive151 that reads from or writes to a removable, nonvolatilemagnetic disk152 and anoptical disk drive155 that reads from or writes to a removable, nonvolatileoptical disk156 such as a CD ROM or other optical media. Other removable/non-removable, volatile/nonvolatile computer storage media that can be used in the exemplary operating environment include, but are not united to, magnetic tape cassettes, flash memory cards, digital versatile disks, digital video tape, solid state RAM, solid state ROM, and the like. Thehard disk drive141 is typically connected to thesystem bus121 through a non-removable memory interface such asinterface140, andmagnetic disk drive151 andoptical disk drive155 are typically connected to thesystem bus121 by a removable memory interface, such asinterface150.

The drives and their associated computer storage media discussed above and illustrated inFIG. 2, provide storage of computer readable instructions, data structures, program modules and other data for thecomputer110. InFIG. 2, for example,hard disk drive141 is illustrated as storingoperating system144,application programs145,other program modules146, and program data147. Note that these components can either be the same as or different from operating system134,application programs135,other program modules136, andprogram data137.Operating system144,application programs145,other program modules146, and program data147 are given different numbers here to illustrate that, at a minimum, they are different copies. A user may enter commands and information into thecomputer20 through input devices such as akeyboard162 and pointingdevice161, commonly referred to as a mouse, trackball or touch pad. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to theprocessing unit120 through auser input interface160 that is coupled to the system bus, but may be connected by other interface and bus structures, such as a parallel port, game port or a universal serial bus (USB). Acathode ray tube191 or other type of display device s also connected to thesystem bus121 via an interface, such as avideo interface190. In addition to the monitor, computers may also include other peripheral output devices such asspeakers197 andprinter196, which may be connected through an outputperipheral interface190.

Thecomputer110 may operate in a networked environment using logical connections to one or more remote computers, such as aremote computer180. Theremote computer180 may be a personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to thecomputer110, although only amemory storage device181 has been illustrated inFIG. 1. The logical connections depicted inFIG. 1 include a local area network (LAN)171 and a wide area network (WAN)173, but may also include other networks. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.

When used in a LAN networking environment, thecomputer110 is connected to theLAN171 through a network interface oradapter170. When used in a WAN networking environment, thecomputer110 typically includes amodem172 or other means for establishing communications over theWAN173, such as the Internet. Themodem172, which may be internal or external, may be connected to thesystem bus121 via theuser input interface160, or other appropriate mechanism. In a networked environment, program modules depicted relative to thecomputer110, or portions thereof, may be stored in the remote memory storage device. By way of example, and not limitation,FIG. 1 illustratesremote application programs185 as residing onmemory device181.

Thecommunications connections170172 allow the device to communicate with other devices. Thecommunications connection170172 are an example of communication media. The communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. A “modulated data signal” may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Computer readable media may include both storage media and communication media.

The trustedplatform module125 or other trusted environment, discussed in more detail below, may store data, and keys and verify executable code and data. The trusted platform module specification states in section 4.5.2.1, “As part of system initialization, measurements of platform components and configurations will be taken. Taking measurements will not detect unsafe configurations nor will it take action to prevent continuation of the initialization process. This responsibility rests with a suitable reference monitor such as an operating system.” Because the TPM is not defined as an enforcement tool the further enhancements described below supplement the common TPM.

Awatchdog circuit126 may be configured to measure a period of time and when the time expires trigger asignal127 that disrupts the operation of thecomputer110. The disruption may be a system reset that causes thecomputer110 to reboot. The disruption may interrupt data on thesystem bus121 or a peripheral bus. To prevent thewatchdog126 from disrupting the operation of thecomputer110, a signal overcommunication connection128 may be required to reset the period of time and start the timing process again. As shown inFIG. 2, the watchdog timer reset signal may be carried overcommunication connection128. As discussed more below, theTPM125 may initiate the watchdog timer reset responsive to a signal from a monitor program. The steps described in the following may be used to help ensure that a specific, desired, monitor is present and operating by using the combination of theTPM125 andwatchdog circuit126.

FIG. 3, a simplified block diagram showing a hierarchical representation of functional layers within a representative computer such as that ofFIG. 2, is discussed and described. A trustedplatform module202 may be hardware that resides below the basic input/output structure (BIOS)204. TheTPM202 may act as a resource to the computer and higher level operations, such as theBIOS204. The BIOS may activate amonitor206. Themonitor206 resides below theoperating system208 at themonitor level210. Themonitor206 may access and use resources of theTPM202 to carry out policies associated with the operation of higher level entities. Theoperating system208 supports the major functions of thecomputer110 and may be responsible (after initial bootstrap processes hand over control) for communication, user input/output, disk and other memory access, application launch, etc. The operating system may also directly access and use theTPM202. As shown, first andsecond applications212214 may run on theoperating system208. In some cases, the monitor may enforce policies related to both theoperating system208 and theapplications212214. For example, beforeapplication214 may be launched fromdisk216, the operating system may check licensing status, depicted byline218, to determine if theapplication214 meets a given criteria for launching. The criteria for launch and subsequent metering of applications using a monitor function are discussed in more detail in US patent application “Method for Pay-As-You-Go Computer and Dynamic Differential Pricing” filed on Dec. 8, 2004 as Ser. No. 11/006,837. Briefly, themonitor206 may be used to measure and meter application programs, utilities and computer resources, for example, in a pay-per-use or pre-paid scenario.

Referring briefly toFIG. 6, theTPM202 is discussed in more detail. TheTPM202 may have aninternal memory502 comprising both volatile and non-volatile memory, at least part of which may be secure from tampering or unauthorized write operations. The memory may store anowner key504 for use in validating entities that claim affiliation with the owner for the purpose of configuring theTPM202 and for establishing trust with an outside entity. The memory may also include, among other things, a platform configuration register (PCR)506. ThePCR506 may be used to store a hash or other strong identifier associated with themonitor206. TheTPM202 may also include aclock508 andcryptographic services510. Both may be used in the authentication and authorization processes as will be discussed below in more detail. TheTPM202 may also include abus512, sometimes referred to as a Single-pin Bus or general purpose input/output (GPIO). In one embodiment, theGPIO512 may be coupled to the watchdog circuit, as described elsewhere.

TheTPM202 may also be coupled to ageneral purpose bus514 for data communication within the computer, for example, a process running themonitor206. Using thebus514, or in some cases anothermechanism516, theTPM202 may be able to measure the monitor. The measurement of the monitor may include checking a cryptographic hash of the monitor, that is, checking a hash of the memory range occupied by the monitor. The PCR may be used to store themeasurement data506. Theowner key504 may be affiliated with the hash of themonitor506, for example, by a digitally signed hash of the monitor that requires theowner key504 for confirmation. Theowner key504 may be written or injected into theTPM202 at the time of manufacture, or later, for example, at the time of delivery to a customer. Theowner key504, then, is used to authenticate themonitor206.

In an exemplary embodiment, themonitor206 is measured by a trusted module preceding it in the boot sequence, for example, by theBIOS204. The monitor measurement, such as a hash computed by theBIOS204, may be stored in theTPM PCR506 via thebus514. When theTPM202 validates the measurement (hash), theTPM202 may then allow access to themonitor206 unique keys and/or other secrets allocated to themonitor206 and stored in theTPM202. TheTPM202 will allocate to any monitor corresponding keys and secrets to whatever measurement the monitor's measurement matches.

The TPM may be programmed with anowner key504 and acorresponding monitor metric506, i.e. a hash of a knownmonitor206. The owner key is used to program or update themonitor metric506, such that only the entity in possession of theowner key504 may set the PCR register506 for the knownmonitor206. Thestandard TPM202 has a characteristic that only amonitor206 verified against a givenmeasurement506 may have control of theGPIO512. When theGPIO512 is connected in a tamper-resistant manner to thewatchdog circuit126, a chain of trust may be completed. That is, only a verifiedmonitor206 may control theGPIO512 and only theGPIO512 may be used to restart thewatchdog circuit126. Therefore, while themonitor206 may be replaced or altered, only themonitor206 verified byPCR506 set by theowner key506 may be used to restart the timer of thewatchdog circuit126. Thus only the authorized monitor may be used to prevent the watchdog from disrupting thecomputer110 by, for example, resetting, thecomputer110. The timer of thewatchdog circuit126 may be set to a period selected to allow restoration of a corrupted or tamperedcomputer110, but short enough to prevent significant useful work to be done on thecomputer110. For example, the watchdog may be set to disrupt thecomputer110 every 10-20 minutes, unless restarted by the validatedmonitor206.

Theowner secret504 and themonitor measurement506 may be programmed in a secure manufacturing environment, or may be field programmed using transport keys known to the entity programming theowner key504. Once theowner key504 is known, the programming entity, for example, a service provider, may set the measurement of the monitor that will determine what monitor is given access to the GPIO bus. Theowner key504 may be required to re-program the owner key. The use of derived keys may facilitate key distribution, scaling and protection from widespread loss should alocal owner key504 be compromised. Key management techniques are known in the data security arts.

FIG. 4 is a block diagram of a representative architecture of a computer300, the same or similar tocomputer110. The computer may have a first and second interface bridges302304. The interface bridges302304 may be connected by ahigh speed bus306. Thefirst interface bridge302 may be connected to aprocessor308,graphics controller310 andmemory312. Thememory312 may host amonitor program314, as well as other general purpose memory uses.

Thesecond interface bridge304 may be connected to peripheral buses and components, for example, universal serial bus (USB)316, Integrated Drive Electronics (IDE)318, or Peripheral Component Interconnect (PCI)320, used to connect disk drives, printers, scanners, etc. The second interface bridge may also be connected to aTPM322. As discussed above, theTPM322 may havesecure memory324 for key and hash data, and a general purpose input/output (GPIO)326. TheTPM322 may be physically or logically coupled to the monitor byconnection328. As discussed, theBIOS204 may measure themonitor206 and store the measurement in theTPM322, which allocates to themonitor314 keys and secrets corresponding to the provided measurement. Themonitor314 is therefore given access to the resources and data locked with these keys and secrets. Theconnection328 may also be used by the monitor to control theGPIO326 for the purpose of sending a signal to thewatchdog circuit330. The signal may cause the watchdog to reset. When the signal is not received by thewatchdog circuit330 in a time period proscribed by a setting in thewatchdog circuit330, a reset, or other disruptive signal may be sent overconnection332. To discourage tampering, the connection between theGPIO326 and thewatchdog circuit330 may be protected, for example, by potting or routing between circuit board layers to prevent manual restarting of thewatchdog circuit330. The computer resetsignal connection332 may be similarly protected from tampering, or at least a portion of thereset signal connection332 between thewatchdog circuit330 and the main processor computer reset point (not depicted).

FIG. 5 is a representative block diagram of an alternate architecture of the computer ofFIG. 2. Comparing to the description ofFIG. 4, like numbered components are the same. Thewatchdog circuit330 has been moved into thesecond interface bridge304 showing a representative illustration of how thewatchdog circuit330 may be combined into another circuit to improve tamper resistance. The integration of thewatchdog circuit330 to the secondinterface bridge chip304, while itself appropriate, is only illustrative. Since thesecond interface bridge304 is a major component of the computer architecture, the desired level of disruption may be carried forth from within thesecond interface bridge304. Therefore, a connection from a watchdog circuit external to thesecond interface bridge304, such asconnection332, may not be required.

In this alternate architecture, theGPIO326 may not be used to signal the reset to thewatchdog circuit330. Instead, a message may be sent overlogical connection334 directly from themonitor314 to thewatchdog circuit330.

Because a sufficient level of trust may not exist between the two entities (314330) the message may be signed using keys held in theTPM322. For example, these keys may be associated with themonitor314 during first boot (e.g. on the manufacturing line—for the sake of trustworthiness). Keys may be assigned arbitrarily, or, as mentioned above, keys may be hierarchically derived from a master key and known data such as a root certificate, serial number or manufacturing sequence number, etc. Thewatchdog timer330 may be configured to respect only messages signed using these keys, for example, during the first boot of thecomputer110 on the assembly line. In addition, the monitor locks these keys into theTPM322, such that only amonitor314 identically measured has access to these keys. A variant of this architecture is that the monitor relies on theTPM322 to allocate it these keys uniquely and respectively to its measurement.

During normal operation themonitor314 may request theTPM322 to sign on its behalf the message to be sent to thewatchdog timer330. TheTPM322 signs the message with the keys that correspond to the monitor314 (per its measurement that was stored into theTPM322 by the BIOS during each boot). Themonitor314 may receive the signed message from theTPM322 over logical connection, for example,connection328 and then provide it to thewatchdog circuit330 overlogical connection334.

When thewatchdog circuit330 receives the message, thewatchdog circuit330 may use the keys (set during manufacturing) to authenticate the message. Alternately, it may request verification using key or secret in theTPM322 usinglogical connection336. If another monitor is running, it will measure differently, resulting in different keys & secrets being allocated by the TPM. Therefore, the alternate monitor will not be able to sign the message properly such that it will be authenticated by thewatchdog circuit330. Consequently, thewatchdog circuit330 will initiate a sanction, such as firing a reset of thecomputer110 after the expiration of its timing interval. The use of signed or encrypted messages may reduce the opportunity for attacks on thelogical connections328 and334.

FIG. 7, a flowchart illustrating a method to lock a trusted platform module (TPM) always “on” using monitor, is discussed and described. A typical TPM, for example,TPM125 may be optionally enabled by the user. As described below, the method will help ensure that both theTPM125 remains enabled, and that amonitor206 selected by the owner of the business will be executed, at the risk of sanctions such as disabling thecomputer110.

Starting with application of power at thestart402, thecomputer110 may initiate the various hardware components through normal boot mechanisms. This applies to theTPM322 as well. The boot sequence may follow a Trusted Computing Platform Alliance (TCPA) methodology. The Core Root of Trust for Measurements(CRTM) (not depicted) measures theBIOS133 andstores403 its measurement into theTPM322. Then the CRTM loads and executes theBIOS133. (The CRTM may ideally be stored in a trustworthy location in thecomputer110 which is very difficult to attack).

TheBIOS133 may execute in a conventional fashion, initiating and enumerating various computer components, with one exception—it may measure each software module before loading and executing it. Also, it may store these measurements into theTPM322. Particularly, it may measure themonitor314 andstore405 the monitor measurement into theTPM322.

TheTPM322 allocates 408 keys and secrets uniquely and respectively to the monitor measurement. The essence is that theTPM322 consistently allocates 408 unique keys & secrets that correspond to a given measurement. Consequently, the secrets available to amonitor314 are unique, consistent and respective. As a result any monitor may lock resources such that will be exclusively available only to that particular monitor. For example, this enables the linking of thegenuine monitor314 to thewatchdog circuit330 by programming theGPIO326 connected to thewatchdog circuit330 to respect only the measurement associated with thegenuine monitor314. TheGPIO326 is then available only to a monitor that measures identically to thegenuine monitor314.

Regardless of whether the loaded monitor is genuine or not, the boot sequence loads and executes410 the monitor. The normal boot process may continue411 and assuming a successful boot,normal operation412 of thecomputer110 follows.

As soon as themonitor314 is loaded and executed at410 it starts its loop (413-419). First, themonitor314 sends413 a message to thewatchdog circuit330 via theTPM GPIO326. The message may signal theTPM322 to use theGPIO326 to signal thewatchdog circuit330 to restart its timer (not depicted).

After sending the message to theTPM322, the monitor returns to thetesting state414. The monitor may test414 that the state of thecomputer110 complies with a current policy. The current policy may involve the specific presence or absence of known programs, utilities or peripherals. The test may also be related to metering or other pay-per-use metrics. For example, the test may check for available provisioning packets for consumption vs. specific application program operation. In another embodiment, the test may be related to operation during a specific time period, such as calendar month.

When thetest414 fails, the No branch may be followed416, where the monitor acts in accordance with the policy. The action may be just a warning code sent to the operating system or a warning message presented to user. The action may be some sanction imposed on the operating system and user, e.g. limiting or eliminating a certain function of the computer. This may apply to hardware and/or software functions. For instance, the computer may be slowed down, certain software may be disabled, or certain devices may be disabled, e.g. a webcam. More severe sanctions may be to limit the amount of RAM available to the OS, or to reduce the Instruction-Set-Architecture available to the operating system. In an exemplary embodiment, one course of action available to themonitor314 when a non-compliant condition is found may be to not take action to restart the timer of thewatchdog circuit330 and let thewatchdog circuit330 impose a sanction.

When the test succeeds, the Yes branch from414 may be followed. In either case, execution waits419 for an interval before returning to step413. The wait interval avoids exhausting the computer's resources by repeatedly running themonitor314. Obviously, thiswait interval419 should be some fraction of the watchdog timer counting period. The determination of a usable fraction may be the likelihood that normal operation of the computer would delay execution completion of the loop. Then the loop returns to step413 discussed above. The period for repeating the loop may be set to any time less than the watchdog circuit timeout period, otherwise an unwarranted disruption may take place.

When theTPM322 receives420 the message, theTPM322 acts according to the monitor measurement. If the measurement is deemednon-genuine420 fails, the No branch may be taken tobox422, which takes no action, i.e. the signal to thewatchdog circuit330 is not sent. No further action may be needed by theTPM322 because thewatchdog circuit330 will disrupt thecomputer110 unless steps are taken to stop it. Optionally, theTPM322 may, at422, generate an error for logging generate a warning/error code, notify the operating system and may display a message to the user.

When theTPM322 verifies that the monitor measurement is genuine, theGPIO326 may be activated to signal424 thewatchdog circuit330 to restart its timer. As discussed above, restarting the watchdog circuit timer prevents thewatchdog circuit330 from initiating a disruptive action, such as a reset of thecomputer110. Thewatchdog circuit330 may then restart426 the timer at its initial value. The timer will then count428 and test430 for expiration of a pre-determined time. The timer period may be settable. Timer implementation is known and whether the timer counts up to a given number, down to zero, counts to a set clock time, or other mechanism, is a design choice.

If the timer has not expired, the no branch from430 may be taken back to428, which will take another count from the timer. When time has expired, the yes branch from430 may be taken and the watchdog may enforce a sanction by disrupting432 the computer. The disruption may be a system reset, causing a re-boot, disabling of peripherals, etc. The period for the watchdog circuit timer to count down to adisruption432 may be enough to allow a user to correct a non-compliant condition on thecomputer110, but should be frequent enough to restrict reliable or useful activity on thecomputer110.

The link from432 to426 may be conceptual. If the disruption is implemented by a reset of the whole computer, this link is moot. In the event of a more subtle disruption, e.g. slowing the computer down, this link is used to restart the count down and may result in a more disabling disruption, for example, cause a reset.

It can be seen that two purposes of the owner of a business associated with supplying computers on a pay-per-use or other underwriter may be accomplished by the above method. First, if theTPM322 is disabled because the user opted out of using theTPM322 or hacked the computer to disable theTPM322, messages to thewatchdog circuit330 will not be generated and thecomputer110 will be disrupted.

Similarly, if theTPM322 is enabled and operational, but the monitor is altered or replaced, possibly to alter or ignore the policies in effect (e.g. usage policies), the TPM will not honor the monitor requests. Practically, an altered monitor measurement is different than the measurement of the genuine monitor. Consequently, when the monitor measurement is stored into theTPM322, it will allocate a set of keys and secrets respective and unique to the altered monitor, and different from those needed for operation of theGPIO326. As a result any message from the altered monitor to the TPM to signal theGPIO326 will not be honored. Therefore, thewatchdog circuit330 will not receive restart signals and thecomputer110 will be disrupted.

In both cases, theTPM322 must be enabled and thegenuine monitor314 must be in place and operational for correct operation of thecomputer110.

Other uses for the above method and apparatus may be envisioned. For example, part of the boot process may require presentation of credentials by an authorized user. If correct credentials are not presented, the boot process may not load the genuine monitor, which will ultimately result in the disabling of thecomputer110.

Claims (9)

1. A computer implementing a trusted computing base for enforcing operation of a monitor, the computer comprising:

a processor for executing the monitor;

a trusted environment coupled to the processor for ensuring execution of the monitor, the trusted environment adapted to receive a message from the monitor; and

a watchdog circuit coupled to the trusted environment, comprising a timer for determining a period, the watchdog circuit disrupting the computer after the period, unless the trusted environment receives the message within the period, and the watchdog circuit receives a signed restart signal to restart the timer, when the signed restart signal is verified.

2. The computer ofclaim 1, wherein the trusted environment cryptographically identifies the monitor.

3. The computer ofclaim 1, wherein the trusted environment further comprises a general purpose input/output port and the monitor is given access to the general purpose input/output port after being cryptographically identified.

4. The computer ofclaim 1, wherein the trusted environment is coupled to the watchdog circuit via a dedicated communication link.

5. The computer ofclaim 1, wherein the watchdog circuit causes the computer to reboot when disrupting the computer.

6. The computer ofclaim 5, wherein a signal causing the computer to reboot is carried on a conductor, the conductor adapted for resistance to tampering.

7. The computer ofclaim 1, wherein the monitor verifies a token at least once in conjunction with sending the message.

8. The computer ofclaim 7, wherein the token comprises a version number for use by the monitor in determining whether the monitor is the current version.

9. A method of encouraging a known operating state in a computer comprising:

executing a known monitor;

sending a signal from the known monitor to a trusted environment before sending the signal to a watchdog circuit; and

preventing the watchdog circuit from disrupting an operation of the computer responsive to the signal.

Images